Add bastion network

2 years ago · f4acc8949c
parent 64772b76e4
commit f4acc8949c
3 changed files with 35 additions and 0 deletions
--- a/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2
@ -21,6 +21,9 @@ define pve_ipv4 = 10.134.0.0/16
 define router_ipv6 = 2a09:6840:135::/48
 define router_ipv4 = 10.135.0.0/16

+define bastion_ipv6 = 2a09:6840:136::/48
+define bastion_ipv4 = 10.136.0.0/16
+
 define infra_ipv6 = {
 	$public_server_ipv6,
 	$server_ipv6,
@ -29,6 +32,7 @@ define infra_ipv6 = {
 	$bmc_ipv6,
 	$pve_ipv6,
 	$router_ipv6,
+	$bastion_ipv6,
 }
 define infra_ipv4 = {
 	$public_server_ipv4,
@ -38,6 +42,7 @@ define infra_ipv4 = {
 	$bmc_ipv4,
 	$pve_ipv4,
 	$router_ipv4,
+	$bastion_ipv4,
 }

 # FIXME: temporary
@ -45,11 +50,13 @@ define egress_internet_ipv6 = {
 	$server_ipv6,
 	$pve_ipv6,
 	$router_ipv6,
+	$bastion_ipv6,
 }
 define egress_internet_ipv4 = {
 	$server_ipv4,
 	$pve_ipv4,
 	$router_ipv4,
+	$bastion_ipv4,
 }

 # FIXME: bad ipv6 address
--- a/roles/nftables_infra/templates/nftables.d/40-input.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/40-input.conf.j2
@ -10,6 +10,13 @@ table inet input {
 		}
 	}

+	chain input_from_server {
+		jump conntrack
+
+		ip6 saddr $prom_infra_ipv6 dport 9100 accept
+		ip saddr $prom_infra_ipv4 dport 9100 accept
+	}
+
 	chain input_from_backbone {
 		ip6 nexthdr { ospf, vrrp } accept
 		ip protocol { ospf, vrrp } accept
@ -22,6 +29,12 @@ table inet input {
 		tcp dport ssh counter accept
 	}

+	chain input_from_bastion {
+		jump conntrack
+
+		tcp dport ssh counter accept
+	}
+
 	chain input_from_anywhere {
 		jump conntrack

--- a/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2
@ -29,6 +29,9 @@ table inet forward {

 		ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept
 		ip saddr $prom_infra_v4 udp dport 161 counter accept
+
+		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip saddr $bastion_ipv4 dport ssh accept
 	}

 	chain forward_to_backbone {
@ -39,6 +42,9 @@ table inet forward {

 		ip6 saddr $prom_infra_v6 udp dport 161 counter accept
 		ip saddr $prom_infra_v4 udp dport 161 counter accept
+
+		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip saddr $bastion_ipv4 dport ssh accept
 	}

 	chain forward_to_bmc {
@ -46,6 +52,9 @@ table inet forward {

 		ip6 saddr $prom_infra_v6 udp dport 161 counter accept
 		ip saddr $prom_infra_v4 udp dport 161 counter accept
+
+		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip saddr $bastion_ipv4 dport ssh accept
 	}

 	chain forward_to_pve {
@ -53,6 +62,9 @@ table inet forward {

 		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
 		ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
+
+		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip saddr $bastion_ipv4 dport ssh accept
 	}

 	chain forward_to_router {
@ -60,6 +72,9 @@ table inet forward {

 		ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
 		ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
+
+		ip6 saddr $bastion_ipv6 dport ssh accept
+		ip saddr $bastion_ipv4 dport ssh accept
 	}

 	chain forward_to_internet {